From bce370939e2a7cc02c0d66e6b1869815624cdf81 Mon Sep 17 00:00:00 2001

From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>

Date: Thu, 15 Nov 2012 14:32:18 +0100

Subject: [PATCH] Escape new-lines in Cookie and P3P headers

This is relevant difference between CGI 3.62 and 3.63.

See <https://bugzilla.redhat.com/show_bug.cgi?id=876974>.

Back-ported for 3.51

---

 lib/CGI.pm  | 24 ++++++++++++------------

 t/headers.t |  6 ++++++

 2 files changed, 18 insertions(+), 12 deletions(-)

diff --git a/lib/CGI.pm b/lib/CGI.pm

index d320d7f..7436a51 100644

--- a/lib/CGI.pm

+++ b/lib/CGI.pm

@@ -1550,8 +1550,17 @@ sub header {

                             'EXPIRES','NPH','CHARSET',

                             'ATTACHMENT','P3P'],@p);

+    # Since $cookie and $p3p may be array references,

+    # we must stringify them before CR escaping is done.

+    my @cookie;

+    for (ref($cookie) eq 'ARRAY' ? @{$cookie} : $cookie) {

+        my $cs = UNIVERSAL::isa($_,'CGI::Cookie') ? $_->as_string : $_;

+        push(@cookie,$cs) if defined $cs and $cs ne '';

+    }

+    $p3p = join ' ',@$p3p if ref($p3p) eq 'ARRAY';

+

     # CR escaping for values, per RFC 822

-    for my $header ($type,$status,$cookie,$target,$expires,$nph,$charset,$attachment,$p3p,@other) {

+    for my $header ($type,$status,@cookie,$target,$expires,$nph,$charset,$attachment,$p3p,@other) {

         if (defined $header) {

             # From RFC 822:

             # Unfolding  is  accomplished  by regarding   CRLF   immediately

@@ -1595,18 +1604,9 @@ sub header {

     push(@header,"Status: $status") if $status;

     push(@header,"Window-Target: $target") if $target;

-    if ($p3p) {

-       $p3p = join ' ',@$p3p if ref($p3p) eq 'ARRAY';

-       push(@header,qq(P3P: policyref="/w3c/p3p.xml", CP="$p3p"));

-    }

+    push(@header,"P3P: policyref=\"/w3c/p3p.xml\", CP=\"$p3p\"") if $p3p;

     # push all the cookies -- there may be several

-    if ($cookie) {

-	my(@cookie) = ref($cookie) && ref($cookie) eq 'ARRAY' ? @{$cookie} : $cookie;

-	for (@cookie) {

-            my $cs = UNIVERSAL::isa($_,'CGI::Cookie') ? $_->as_string : $_;

-	    push(@header,"Set-Cookie: $cs") if $cs ne '';

-	}

-    }

+    push(@header,map {"Set-Cookie: $_"} @cookie);

     # if the user indicates an expiration time, then we need

     # both an Expires and a Date header (so that the browser is

     # uses OUR clock)

diff --git a/t/headers.t b/t/headers.t

index 661b74b..4b4922c 100644

--- a/t/headers.t

+++ b/t/headers.t

@@ -22,6 +22,12 @@ like($@,qr/contains a newline/,'invalid header blows up');

 like $cgi->header( -type => "text/html".$CGI::CRLF." evil: stuff " ),

     qr#Content-Type: text/html evil: stuff#, 'known header, with leading and trailing whitespace on the continuation line';

+eval { $cgi->header( -p3p => ["foo".$CGI::CRLF."bar"] ) };

+like($@,qr/contains a newline/,'P3P header with CRLF embedded blows up');

+

+eval { $cgi->header( -cookie => ["foo".$CGI::CRLF."bar"] ) };

+like($@,qr/contains a newline/,'Set-Cookie header with CRLF embedded blows up');

+

 eval { $cgi->header( -foobar => "text/html".$CGI::CRLF."evil: stuff" ) };

 like($@,qr/contains a newline/,'unknown header with CRLF embedded blows up');

-- 

1.7.11.7